The following abbreviations that may be found in the specification and/or the drawing figures are defined as follows:
AP access point
ARP address resolution protocol
DHCP dynamic host configuration protocol
IANA Internet Assigned Numbers Authority
IEEE Institute of Electrical and Electronics Engineers
IP internet protocol
IPsec internet protocol security
NAT network address translation
SIG special interest group
SCTP stream control transmission protocol
SP service provider
TCP transmission control protocol
UDP user datagram protocol
VPN virtual private network
UE user equipment
WFA Wi-Fi Alliance®
Wi-Fi name for IEEE 802.11x networks
WLAN wireless local area network
One priority issue for the IEEE 802.11 SIG is to allow a wireless networking hotspot to “push” information, that is, to send unsolicited information such as notifications or advertisements to devices connected to the hotspot. For example, a notification could warn the users of individual connected devices that their authorized connectivity time is nearing expiration. In one common practice, a user is directed to a captive portal when first attaching to a public hotspot (for example, at an airport). The captive portal may present the user with one or more options for Internet access, such as payment for a defined time period or acceptance of conditions for free access. Wireless network operators grant access, whether paid or free, only for a defined time period, after which additional payment or renewed acceptance of the conditions may be required. Once the user has fulfilled the conditions for access, the Wi-Fi network operator opens the gates for Internet access for the duration of the specified time period. The notifications contemplated above would enable the user to meet the conditions for continued access, such as purchasing additional access time, before the current session expires.
Enterprise users in public locations often access a hotspot in order to set up a VPN connection to a secure server. The user starts the VPN client, which establishes an IPsec tunnel between the user's host device and the VPN gateway in the enterprise network. The VPN client on the host device creates a virtual interface, and all of the host device's traffic is routed over that VPN interface and through the IPsec tunnel. Traffic through the tunnel is encrypted (IPsec ESP tunnel mode) and therefore protected from the hotspot. Although the tunnel passes through the hotspot, the hotspot cannot inject into it a message warning the host device that its network access time is about to expire: the hotspot holds no key for the tunnel, and a full-tunnel policy on the host discards unprotected packets that arrive outside the tunnel. The use of VPNs is increasing for reasons that go well beyond enterprise connectivity.
The Wi-Fi Alliance (WFA) has initiated a new activity, Hotspot 2.0, aimed at specifying a behavior for 802.11 access points and clients to enable the above noted notifications. Specifically, there are to be options for auto-renew and for push notifications, which the WFA requirements document characterizes as follows:

Auto Renew: When an end-user with a limited Wi-Fi plan (e.g. time-based) is in a session in a Hotspot, and when the plan is about to expire, the end user receives a notification on his or her device that the current session is about to expire. The user need not have the web browser opened. The notification provides the ability to the end user to extend the session and need not require the end-user to re-enter the permanent or temporary credentials (e.g. credit card).

Push notifications: Generic interface for notifications may also be used for other purposes defined by the SP (information on subscription, marketing info, push of services advertisements, etc).
Auto-renew messages and push notifications might traditionally be sent using a split tunnel (sometimes called a split VPN), in which the traffic selectors of the VPN client on the host device are configured so that only a limited set of destinations or applications use the IPsec VPN tunnel; the auto-renew and push notifications can then be delivered in the clear, outside that limited set. But this approach opens a potential security vulnerability, since unencrypted traffic from the untrusted access network reaches the host while the host is also connected to the enterprise network. Many enterprise networks therefore do not allow split tunneling, and the VPN profile that enforces this typically cannot be overridden by the user at the host device. For this reason the WFA has stipulated that at least the auto-renew function is to operate even when split tunneling is disabled.
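To make the full-tunnel versus split-tunnel behavior described in the two preceding paragraphs concrete, the following is an added example, not code from the original document or from any WFA or IEEE specification. It models a VPN client's IPsec Security Policy Database (SPD, as in RFC 4301) as an ordered list of traffic selectors, and applies the inbound rule that a cleartext packet whose matching policy is PROTECT must be discarded. All addresses, ports, policies and packets are constructed for illustration; the IKE bypass entries on UDP/500 and UDP/4500 reflect the real IKE and NAT-traversal ports.

```python
"""Toy model of an IPsec Security Policy Database (SPD, RFC 4301) on a VPN client.

Added illustration, not part of the original document. Addresses, ports and
policies are constructed. It shows how the client's traffic selectors decide
whether a packet is PROTECTed (carried in the ESP tunnel), BYPASSed (passed in
the clear) or DISCARDed, and therefore why a cleartext notification pushed by
the hotspot AP reaches the host under a split tunnel but not under a full tunnel.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

PROTECT, BYPASS, DISCARD = "PROTECT", "BYPASS", "DISCARD"
DELIVER = "DELIVER"


@dataclass(frozen=True)
class Packet:
    local: str        # address of this host
    remote: str       # address of the peer
    proto: str        # "tcp" or "udp"
    remote_port: int


@dataclass(frozen=True)
class Selector:
    """One ordered SPD entry: a traffic selector plus the action to apply."""
    local: str                  # CIDR on the host side
    remote: str                 # CIDR on the peer side
    proto: Optional[str]        # None matches any protocol
    remote_port: Optional[int]  # None matches any port
    action: str

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.local) in ip_network(self.local)
                and ip_address(pkt.remote) in ip_network(self.remote)
                and self.proto in (None, pkt.proto)
                and self.remote_port in (None, pkt.remote_port))


def classify(spd: List[Selector], pkt: Packet) -> str:
    """First matching selector wins; a packet matching nothing is discarded."""
    for sel in spd:
        if sel.matches(pkt):
            return sel.action
    return DISCARD


def inbound(spd: List[Selector], pkt: Packet, arrived_in_tunnel: bool) -> str:
    """RFC 4301 inbound check: a packet whose policy is PROTECT is accepted only
    if it actually arrived through the SA; a BYPASS packet is accepted in the
    clear; anything else is dropped."""
    action = classify(spd, pkt)
    if action == PROTECT and arrived_in_tunnel:
        return DELIVER
    if action == BYPASS and not arrived_in_tunnel:
        return DELIVER
    return DISCARD


# Constructed addresses: the hotspot's DHCP server hands the host 10.0.0.23,
# the AP/gateway is 10.0.0.1, the enterprise VPN gateway is 203.0.113.10 and
# the enterprise's internal range is 10.10.0.0/16.
HOST, AP, VPN_GW, ENTERPRISE = "10.0.0.23", "10.0.0.1", "203.0.113.10", "10.10.0.0/16"

# IKE (UDP/500) and IKE/ESP NAT traversal (UDP/4500) with the gateway must
# travel in the clear, or the tunnel could never be set up.
IKE_BYPASS = [
    Selector(HOST + "/32", VPN_GW + "/32", "udp", 500, BYPASS),
    Selector(HOST + "/32", VPN_GW + "/32", "udp", 4500, BYPASS),
]

# Full tunnel: everything except IKE goes through the ESP tunnel, so a
# cleartext packet from the AP matches PROTECT and is dropped on arrival.
FULL_TUNNEL = IKE_BYPASS + [
    Selector(HOST + "/32", "0.0.0.0/0", None, None, PROTECT),
]

# Split tunnel: only the enterprise range is protected; all other traffic,
# including the AP's notification (and anything else on the hotspot), passes
# in the clear. That is the exposure enterprises object to.
SPLIT_TUNNEL = IKE_BYPASS + [
    Selector(HOST + "/32", ENTERPRISE, None, None, PROTECT),
    Selector(HOST + "/32", "0.0.0.0/0", None, None, BYPASS),
]

# Constructed test traffic.
NOTIFICATION = Packet(HOST, AP, "udp", 5555)             # pushed by the AP, unencrypted
ENTERPRISE_MAIL = Packet(HOST, "10.10.5.5", "tcp", 993)  # enterprise-internal server
PUBLIC_WEB = Packet(HOST, "198.51.100.7", "tcp", 443)    # arbitrary Internet host


def demo() -> dict:
    """Return the decision for each case so the outcome can be inspected."""
    return {
        "notification, full tunnel": inbound(FULL_TUNNEL, NOTIFICATION, False),
        "notification, split tunnel": inbound(SPLIT_TUNNEL, NOTIFICATION, False),
        "public web, full tunnel": classify(FULL_TUNNEL, PUBLIC_WEB),
        "public web, split tunnel": classify(SPLIT_TUNNEL, PUBLIC_WEB),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:28s} -> {result}")
```

Under the full-tunnel SPD the AP's cleartext notification matches the catch-all PROTECT entry and, because it did not arrive inside the SA, is discarded before any application sees it; under the split-tunnel SPD the same packet is delivered, but so is every other cleartext packet on the hotspot, which is exactly why enterprise profiles disable split tunneling.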
What is needed in the art is a way for an access point or other node of an access network to send the above contemplated messages to a user device regardless of whether that user device is connected as host to a secure VPN.